ci: set restrictive egress rules on runners
- Following up on StepSecurity upgrades, runners now block egress
  traffic by default and allow only specific trusted endpoints.
V0ldek authored Oct 31, 2023
1 parent ae2f6d3 commit b9e5dd9
Showing 13 changed files with 102 additions and 16 deletions.
2 changes: 1 addition & 1 deletion .clusterfuzzlite/Dockerfile
@@ -1,4 +1,4 @@
FROM gcr.io/oss-fuzz-base/base-builder-rust:v1@sha256:52508f7d366f93c0523297783183ae24307567debdc779ea142517e0132601b9
FROM gcr.io/oss-fuzz-base/base-builder-rust:v1@sha256:ac9054c9c1b969aeb40d26b9bd2a792c2d1dc23f54954d271ddb62c4cc1c8e29
RUN apt-get update && apt-get install -y make autoconf automake libtool
COPY . $SRC/rsonpath
WORKDIR $SRC/rsonpath
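--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -29,7 +29,8 @@ updates:
 - package-ecosystem: cargo
 directory: /crates/rsonpath-test-codegen
 schedule:
-interval: daily
+interval: weekly
+day: Monday
 time: "20:01"
 assignees:
 - V0ldek
@@ -44,7 +45,8 @@ updates:
 - package-ecosystem: cargo
 directory: /crates/rsonpath-test
 schedule:
-interval: daily
+interval: weekly
+day: Monday
 time: "20:01"
 assignees:
 - V0ldek
@@ -59,7 +61,8 @@ updates:
 - package-ecosystem: cargo
 directory: /fuzz
 schedule:
-interval: daily
+interval: weekly
+day: Monday
 time: "20:01"
 assignees:
 - V0ldek
@@ -74,7 +77,8 @@ updates:
 - package-ecosystem: docker
 directory: /.clusterfuzzlite
 schedule:
-interval: daily
+interval: weekly
+day: Monday
 time: "20:02"
 assignees:
 - V0ldek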
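Review bot: `time: "20:01"` next to the new `day: Monday` in all four rewritten schedules (this hunk and the three that follow in the same file) is evaluated in UTC unless a `timezone` key is present, so the Monday-evening slot may land at a different local hour than intended; if a local time was meant, add `timezone: <IANA zone>` alongside `time`. This cadence change is also unrelated to the egress rules named in the commit title, so a sentence in the description would help anyone bisecting dependabot behaviour later.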
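--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -32,7 +32,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+api.github.com:443
+crates.io:443
+index.crates.io:443
+static.crates.io:443
+static.rust-lang.org:443
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1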
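Review bot: The new `allowed-endpoints` list records no hint of which step needs which host, which will make it hard to prune an entry when a step is removed later; a short comment above the key, e.g. `# github.com/api.github.com: checkout; crates.io hosts + static.rust-lang.org: toolchain and cargo fetches (verify against the steps below)`, would carry that knowledge. The comment has to sit above `allowed-endpoints:` rather than inside the list, because within the `>` folded scalar a line starting with `#` is part of the value, not a YAML comment. The same documentation gap applies to the Harden Runner hunk in every other workflow in this commit, and only the checkout step is visible here, so the real consumers of the crates hosts are inferred.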
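--- a/.github/workflows/closed-issue.yml
+++ b/.github/workflows/closed-issue.yml
@@ -15,7 +15,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
 - uses: V0ldek/modify-label@65905feb4c09417e7caed08928595a0b4f9b3d42 # v1.0.0
 with: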
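--- a/.github/workflows/clusterfuzzlite-batch.yml
+++ b/.github/workflows/clusterfuzzlite-batch.yml
@@ -25,7 +25,18 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+crates.io:443
+index.crates.io:443
+static.crates.io:443
+archive.ubuntu.com:80
+security.ubuntu.com:80
+static.rust-lang.org:443
+gcr.io:443
+storage.googleapis.com:443
 - name: Build Fuzzers (${{ matrix.sanitizer }})
 id: build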
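Review bot: The nine-host allowlist here is repeated verbatim in clusterfuzzlite-cron.yml and clusterfuzzlite-pr.yml, so the three copies will drift the first time one ClusterFuzzLite step changes what it fetches; since harden-runner takes the list inline, the practical safeguard is a comment above `allowed-endpoints:` in each file such as `# Keep in sync with clusterfuzzlite-cron.yml and clusterfuzzlite-pr.yml`. The `archive.ubuntu.com:80` and `security.ubuntu.com:80` entries presumably serve the `apt-get` line in .clusterfuzzlite/Dockerfile, which runs inside the build container rather than on the runner; a note saying so would explain why these differ from the `azure.archive.ubuntu.com` host used in rust.yml. This list also omits `api.github.com:443`, which the other workflows allow; whether the ClusterFuzzLite actions call the GitHub API is not visible in the hunk, so check the first blocked run's harden-runner report.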
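--- a/.github/workflows/clusterfuzzlite-cron.yml
+++ b/.github/workflows/clusterfuzzlite-cron.yml
@@ -15,7 +15,18 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+crates.io:443
+index.crates.io:443
+static.crates.io:443
+archive.ubuntu.com:80
+security.ubuntu.com:80
+static.rust-lang.org:443
+gcr.io:443
+storage.googleapis.com:443
 - name: Build Fuzzers
 id: build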
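--- a/.github/workflows/clusterfuzzlite-pr.yml
+++ b/.github/workflows/clusterfuzzlite-pr.yml
@@ -25,7 +25,18 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+crates.io:443
+index.crates.io:443
+static.crates.io:443
+archive.ubuntu.com:80
+security.ubuntu.com:80
+static.rust-lang.org:443
+gcr.io:443
+storage.googleapis.com:443
 - name: Build Fuzzers (${{ matrix.sanitizer }})
 id: build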
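--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -19,7 +19,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+api.github.com:443
 - name: "Checkout Repository"
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1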
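--- a/.github/workflows/nix-shell.yml
+++ b/.github/workflows/nix-shell.yml
@@ -15,7 +15,18 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+crates.io:443
+index.crates.io:443
+static.crates.io:443
+static.rust-lang.org:443
+nixos.org:443
+cache.nixos.org:443
+channels.nixos.org:443
+releases.nixos.org:443
+tarballs.nixos.org:443
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with: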
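Review bot: This hunk, and the corresponding ones in rust.yml and test-codegen.yml, switch to `egress-policy: block` without the `disable-sudo: true` that the other seven workflows add in this commit, and nothing records why the three are exempt. For test-codegen.yml the reason is visible (`sudo apt install lld` immediately below its hunk); for nix-shell.yml and rust.yml it is presumably the Nix installer and an apt-based MinGW setup, but that is inferred from the step names only. A one-line comment above `with:` such as `# disable-sudo intentionally omitted: <step> needs root` (fill in the real step) would keep a later consistency cleanup from silently breaking the job. The steps that actually need sudo start outside the hunk.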
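--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -91,7 +91,14 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+crates.io:443
+index.crates.io:443
+static.crates.io:443
+static.rust-lang.org:443
 - name: Run prologue script
 if: matrix.prologue-script != ''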
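Review bot: The release allowlist covers only checkout and Rust toolchain hosts; if a later step of this job publishes artifacts through the GitHub API (not visible here — the job continues past `Run prologue script`), calls to `api.github.com:443` and `uploads.github.com:443` will now be blocked, and with `disable-sudo: true` any matrix prologue script that installs system packages will fail as well. Both are fine if publishing happens in a separate job and the prologue scripts only touch the user toolchain, so confirm against the rest of release.yml and record the outcome with a comment above `allowed-endpoints:`, e.g. `# Build job only; publishing runs elsewhere and has its own policy`.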
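--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -91,7 +91,19 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+api.github.com:443
+azure.archive.ubuntu.com:80
+esm.ubuntu.com:443
+motd.ubuntu.com:443
+crates.io:443
+index.crates.io:443
+static.crates.io:443
+static.rust-lang.org:443
+packages.microsoft.com:443
+ppa.launchpadcontent.net:443
 - name: Cache restore (MinGW)
 id: cache-restore-mingw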
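Review bot: `esm.ubuntu.com:443` and `motd.ubuntu.com:443` are, as far as I know, contacted by Ubuntu's apt and MOTD news hooks rather than by any package download, so they could probably be dropped to keep the allowlist to hosts the build actually needs; keep them only if the audit run showed the hooks failing a step rather than merely logging. `azure.archive.ubuntu.com:80` over plain HTTP is acceptable because apt verifies repository signatures, but a comment such as `# port 80 is deliberate: the Azure mirror is HTTP-only and apt verifies signatures` would stop someone from "upgrading" it to 443. The apt-based steps that need these hosts start after `Cache restore (MinGW)`, outside the hunk, so which entry serves which step is inferred.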
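--- a/.github/workflows/test-codegen.yml
+++ b/.github/workflows/test-codegen.yml
@@ -29,7 +29,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+github.com:443
+azure.archive.ubuntu.com:80
+static.rust-lang.org:443
 - name: Install lld
 run: sudo apt install lld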
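Review bot: This allowlist has `static.rust-lang.org:443` for the toolchain but none of the crates.io hosts that rust.yml and book.yml allow, so if the codegen step that follows runs cargo with dependencies that are not already vendored or restored from cache, the registry fetch will be blocked; that step is outside the hunk, so confirm with the first blocked run's harden-runner report rather than by guessing. The `sudo apt install lld` step directly below is presumably why `disable-sudo` is absent here and why `azure.archive.ubuntu.com:80` is allowed, and a comment above `allowed-endpoints:` saying exactly that, e.g. `# azure.archive.ubuntu.com: apt install lld below; no crates.io because <reason>`, would make both decisions reviewable.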
2 changes: 1 addition & 1 deletion crates/rsonpath-benchmarks
